Out of curiosity...
Is your "mail" attribute publicly queryable? If not, you may need to add some
authentication to the attribute release section of code as well.
I ran into that as well; ended up adding this code to my
deployerConfigContext.xml file:
<bean id="searchConnectionFactory"
      class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="searchConnectionConfig" />

<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
      p:connectionInitializer-ref="bindConnectionInitializer" />

<bean id="bindConnectionInitializer"
      class="org.ldaptive.BindConnectionInitializer"
      p:bindDn="${ldap.managerDn}">
  <property name="bindCredential">
    <bean class="org.ldaptive.Credential"
          c:password="${ldap.managerPassword}" />
  </property>
</bean>

<bean id="abstractConnectionConfig" abstract="true"
      class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:connectTimeout="${ldap.connectTimeout}" />
and then modified my searchConnectionPool bean to reference the
searchConnectionFactory:
<bean id="searchConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="searchConnectionFactory" />
and then added the ldap.managerDn and ldap.managerPassword properties to my
cas.properties file.
After doing so, I was able to get the attributes on the second query.
URLs I referenced:
http://jasig.275507.n4.nabble.com/ldaptive-integration-td4660076.html , which
led me to
http://jasig.github.io/cas/development/installation/LDAP-Authentication.html#active-directory-authentication
Chris
>>> Simon <[email protected]> 04/30/15 9:17 AM >>>
Hello Christopher,
Hello Misagh,
thank you very much, but as far as I can see, my setup already corresponds to
your recommendation:
@Christopher **Also, make sure the CAS URL you're referencing has ".../p3/..."
in it**
I'm using phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
It generates the url:
https://mycasserver:8443/cas/p3/serviceValidate?service=http%3A%2F%2F192.168.0.1%2Fcastest%2Findex.php
@Misagh **Possibly because you are not allowing any attributes to be released**
My LDAP setup defines an entry 'mail' in the principalAttributeMap, which is
logged correctly as
DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Attribute map for testuser: {displayName=Test User, [email protected],
memberOf=[CN=allusers,OU=Users,DC=mydomain,DC=local]}>
The attributeFilter in the serviceRegistryDao/registeredServices should allow
the mail attribute, because of the regex filter .*(mail).*
But nevertheless, the filter logged the following debug message:
DEBUG [org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter] -
<Received 0 attributes. Filtered and released 0>
For me it looks like the attributes are coming from the LDAP to the
authenticationManager but then they are not passed to the service?!
I don't know what to do...
-----Original Message-----
From: Christopher Myers [mailto:[email protected]]
Sent: Donnerstag, 30. April 2015 15:43
To: [email protected]
Subject: RE: [cas-user] CAS 4.0 LDAP attributes to registered services
Also, make sure the CAS URL you're referencing has ".../p3/..." in it, such as:
https://portal.millikin.edu/cas/p3/serviceValidate?ticket=ST-3-KVPbJUgg6hpI32knvrJq-CAS_HOST_1&service=https%3A%2F%2Fportal.millikin.edu%2Fmuportal%2Fsecure%2F
Otherwise, everything can be configured correctly, but no attributes will be
released.
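Two client-side checks that follow from this reply, as an added example (not code from the thread, from CAS or from phpCAS): one confirms that the validation URL really hits the /p3/ endpoint, the other parses the validation response and returns the attributes block, so an empty attribute set from a /p2/-style response is visible as such rather than as a silently empty array. The sample responses, user, addresses and group names below are constructed for the example; the element layout follows the CAS protocol's `cas:serviceResponse` document.

```python
"""Check a CAS validation URL and parse the validation response (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses: what the same ticket yields on the protocol 2
# endpoint (no attributes block) and on the protocol 3 endpoint (attributes
# present). All values are made up for this example.
P2_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>testuser</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

P3_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>testuser</cas:user>
    <cas:attributes>
      <cas:displayName>Test User</cas:displayName>
      <cas:mail>testuser@example.invalid</cas:mail>
      <cas:memberOf>CN=allusers,OU=Users,DC=mydomain,DC=local</cas:memberOf>
      <cas:memberOf>CN=staff,OU=Users,DC=mydomain,DC=local</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def uses_protocol3_endpoint(validate_url):
    """True when the validation URL is the /p3/ endpoint, the only one whose
    response carries the cas:attributes block."""
    path = urlparse(validate_url).path
    endpoint = path.rsplit("/", 1)[-1]
    return "/p3/" in path and endpoint in ("serviceValidate", "proxyValidate")


def parse_validation_response(xml_text):
    """Return (user, attributes) from a CAS validation response.

    attributes maps each attribute name to a list of values, so multi-valued
    attributes such as memberOf are kept whole. A CAS authenticationFailure
    raises ValueError, so a failed validation is never mistaken for a user
    who simply has no attributes.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code")
        raise ValueError("CAS validation failed: %s %s" % (code, (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no authenticationSuccess element")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attributes = {}  # name -> list of values
    attr_block = success.find("cas:attributes", CAS_NS)
    if attr_block is not None:
        for child in attr_block:
            # ElementTree prefixes tags with "{namespace}"; keep only the local name
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


if __name__ == "__main__":
    for url in (
        "https://mycasserver:8443/cas/serviceValidate?service=http%3A%2F%2F192.168.0.1%2Fcastest%2Findex.php",
        "https://mycasserver:8443/cas/p3/serviceValidate?service=http%3A%2F%2F192.168.0.1%2Fcastest%2Findex.php",
    ):
        print(url.split("?")[0], "-> protocol 3 endpoint:", uses_protocol3_endpoint(url))
    print(parse_validation_response(P2_RESPONSE))
    print(parse_validation_response(P3_RESPONSE))
```

Running the block prints `False` for the /cas/serviceValidate URL and `True` for the /cas/p3/serviceValidate one, then `('testuser', {})` for the protocol 2 response and the full attribute map for the protocol 3 response. Treating the failure element as an error rather than as "no attributes" is deliberate: a client that only inspects the attribute array cannot tell a rejected ticket from a correctly validated user with nothing released.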
>>> Misagh Moayyed <[email protected]> 04/30/15 4:39 AM >>>
Possibly because you are not allowing any attributes to be released:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html#configuration
Also, do please review this section as well:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html#attribute-filters
Your filter says: filter the collection of attributes received to only
include those that have the word "mail" in them. But it received none,
because nothing is allowed.
-----Original Message-----
From: Simon [mailto:[email protected]]
Sent: Thursday, April 30, 2015 1:19 AM
To: [email protected]
Subject: [cas-user] CAS 4.0 LDAP attributes to registered services
Hello,
I'm using CAS 4.0 on Tomcat 8.0 with Oracle Java JVM 1.8.0
The authentication against an LDAP directory which is managed by a
Microsoft Active Directory Server 2008 R2 works as expected.
But the LDAP attributes are not passed to the service.
The class PolicyBasedAuthenticationManager debugs the correct attribute
map with all correct values at the moment of the authentication on the CAS
server.
But these attributes are not passed to the registered services.
The class RegisteredServiceRegexAttributeFilter debugs that it received 0
attributes.
And also my phpCAS 1.3.3 gives me an empty array for
phpCAS::getAttributes() - but the correct username with phpCAS::getUser().
Has anyone an idea where my mistake is?
Thank you very much for your help!
My deployerConfigContext.xml is:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <entry key-ref="firstLDAP" value="#{null}" />
    </map>
  </constructor-arg>
  <property name="authenticationPolicy">
    <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
  </property>
</bean>

<bean id="firstLDAP"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="sAMAccountName"
      c:authenticator-ref="authenticator">
  <property name="principalAttributeMap">
    <map>
      <entry key="displayName" value="displayName" />
      <entry key="mail" value="mail" />
      <entry key="memberOf" value="memberOf" />
    </map>
  </property>
</bean>
... see complete config at
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active-directory-authentication
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <bean class="org.jasig.cas.services.RegexRegisteredService">
        <property name="id" value="1" />
        <property name="name" value="All Websites" />
        <property name="serviceId" value="^(https?)://.*" />
        <property name="evaluationOrder" value="0" />
        <property name="attributeFilter">
          <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter"
                c:regex=".*(mail).*" />
        </property>
      </bean>
    </list>
  </property>
</bean>
My debug log is:
INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<LdapAuthenticationHandler successfully authenticated testuser+password>
DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <No
resolver configured for LdapAuthenticationHandler. Falling back to
handler principal testuser>
INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Authenticated testuser with credentials [testuser+password].>
DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Attribute map for testuser: {displayName=Test User, [email protected],
memberOf=[CN=allusers,OU=Users,DC=mydomain,DC=local]}>
Audit trail record ... Slf4jLoggingAuditTrailManager ...
CookieRetrievingCookieGenerator ... DefaultTicketRegistry ...
DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
service for: http://192.168.0.1/castest/>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
[ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster] found in registry.>
DEBUG [org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter] -
<Received 0 attributes. Filtered and released 0>
DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to
return for service [All Websites] is [testuser]. The default principal id is
[testuser].>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
[ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster] from registry>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster]>
INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN ...>
DEBUG [org.jasig.cas.web.ServiceValidateController] - <Successfully validated
service ticket ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster for service
[http://192.168.0.1/castest/]>
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user